formbook | 310148ae5e69b2ccfd91c5e3af16d0bfbe3c6aba0d348b5512a4932af2afaf17

General

Target

PI L032452021xxls.exe
Size

706KB
MD5

73c7fda15888b3b6cc025ce3d5f83161
SHA1

78b8467853dc5bdba4dd28a8602902fcc210f67c
SHA256

69394a249833f97289151fa8334f32e0b0467ce4ecb164b0706784fb836136a6
SHA512

dbb943a00e2c24dc0926f36b81409d28789a10d20b8e4043b2545eff1daa74448bc324ada5376e582757ce3db916042747b7939648d8ed102fe2be305ffe872a

Score

10^/10

formbook ergs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ergs

C2

http://www.barry-associates.com/ergs/

Decoy

jardineriavilanova.com

highkeyfashionboutique.com

willingtobuyyourhouse.com

ysfno.com

bjkhjzzs.com

hexmotif.com

intentionalerror.com

nuu-foundfreedom.com

catalystspeechservices.com

blackmybail.com

xntaobaozhibo.com

site-sozdat.online

45quisisanadr.com

ipawlove.com

yifa5188.com

admm.email

houseoftealbh.com

scale-biz.com

vdvppt.club

loveandlight.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/988-124-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/988-125-0x000000000041EB70-mapping.dmp	formbook
behavioral2/memory/2840-133-0x0000000003060000-0x000000000308E000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.exeNETSTAT.EXE

description	pid	process	target process
PID 900 set thread context of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 988 set thread context of 8	988	PI L032452021xxls.exe	Explorer.EXE
PID 988 set thread context of 8	988	PI L032452021xxls.exe	Explorer.EXE
PID 2840 set thread context of 8	2840	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2840 NETSTAT.EXE

pid	process
2840	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.exeNETSTAT.EXE

pid	process
900	PI L032452021xxls.exe
900	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE
2840	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

8 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PI L032452021xxls.exeNETSTAT.EXE

pid process

988 PI L032452021xxls.exe
988 PI L032452021xxls.exe
988 PI L032452021xxls.exe
988 PI L032452021xxls.exe
2840 NETSTAT.EXE
2840 NETSTAT.EXE

pid	process
8	Explorer.EXE

pid	process
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
988	PI L032452021xxls.exe
2840	NETSTAT.EXE
2840	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	900	PI L032452021xxls.exe
Token: SeDebugPrivilege	988	PI L032452021xxls.exe
Token: SeDebugPrivilege	2840	NETSTAT.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

8 Explorer.EXE

pid	process
8	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PI L032452021xxls.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 900 wrote to memory of 2868	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 2868	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 2868	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 900 wrote to memory of 988	900	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 8 wrote to memory of 2840	8	Explorer.EXE	NETSTAT.EXE
PID 8 wrote to memory of 2840	8	Explorer.EXE	NETSTAT.EXE
PID 8 wrote to memory of 2840	8	Explorer.EXE	NETSTAT.EXE
PID 2840 wrote to memory of 3828	2840	NETSTAT.EXE	cmd.exe
PID 2840 wrote to memory of 3828	2840	NETSTAT.EXE	cmd.exe
PID 2840 wrote to memory of 3828	2840	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-128-0x0000000002560000-0x000000000261B000-memory.dmp

Filesize
748KB

Download
memory/8-137-0x0000000006350000-0x0000000006461000-memory.dmp

Filesize
1.1MB

Download
memory/8-130-0x0000000005DD0000-0x0000000005EE4000-memory.dmp

Filesize
1.1MB

Download
memory/900-116-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/900-117-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/900-118-0x0000000005940000-0x0000000005E3E000-memory.dmp

Filesize
5.0MB

Download
memory/900-119-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/900-120-0x0000000008D90000-0x0000000008D97000-memory.dmp

Filesize
28KB

Download
memory/900-121-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/900-122-0x00000000075F0000-0x0000000007654000-memory.dmp

Filesize
400KB

Download
memory/900-123-0x000000000B810000-0x000000000B83F000-memory.dmp

Filesize
188KB

Download
memory/900-114-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/988-125-0x000000000041EB70-mapping.dmp

Download
memory/988-127-0x0000000001700000-0x0000000001714000-memory.dmp

Filesize
80KB

Download
memory/988-126-0x0000000001750000-0x0000000001A70000-memory.dmp

Filesize
3.1MB

Download
memory/988-129-0x0000000001C30000-0x0000000001C44000-memory.dmp

Filesize
80KB

Download
memory/988-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2840-131-0x0000000000000000-mapping.dmp

Download
memory/2840-132-0x0000000000B90000-0x0000000000B9B000-memory.dmp

Filesize
44KB

Download
memory/2840-133-0x0000000003060000-0x000000000308E000-memory.dmp

Filesize
184KB

Download
memory/2840-134-0x0000000003770000-0x0000000003A90000-memory.dmp

Filesize
3.1MB

Download
memory/2840-136-0x00000000034D0000-0x0000000003563000-memory.dmp

Filesize
588KB

Download
memory/3828-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads